Audit log events reference list (CADF format)
The Open Liberty Audit feature captures auditable events that contain security details from the server runtime environment and applications. You can use the data that is generated from the audit events to analyze the configured environment.
Open Liberty can generate audit events in either CADF or JSON format. The audit events can be captured in the following CADF format types to help identify different areas where the configured environment can be improved:
SECURITY_AUDIT_MGMT
You can use the SECURITY_AUDIT_MGMT event to capture the the audit information from the management of the audit service. The following table provides the fields for the SECURITY_AUDIT_MGMT event and a description of each field:
FIELDS | DESCRIPTION |
---|---|
eventName | Name of the audit event. |
eventSequenceNumber | Sequence number of the audit event. |
eventTime | Time that the event occurred. |
observer.id | Identifier of the observer of the event. |
observer.name | Name of the observer of the event: |
observer.typeURI | Unique URI of the observer of the event: |
outcome | Outcome of the event. |
target.id | Identifier of the target of the action. |
target.typeURI | Unique URI for the target of the event: |
The following example shows the SECURITY_AUDIT_MGMT event that captures the start of the audit service and audit file handler:
{
"eventName":"SECURITY_AUDIT_MGMT",
"eventSequenceNumber":"0",
"eventTime":"2018-07-10 12:15:34.339",
"observer": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"name":"AuditService",
"typeURI":"service/server"
},
"outcome":"success",
"target": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"typeURI":"service/audit/start"
}
}
{
"eventName":"SECURITY_AUDIT_MGMT",
"eventSequenceNumber":"1",
"eventTime":"2018-07-10 12:15:34.471",
"observer": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"name":"AuditHandler:AuditFileHandler",
"typeURI":"service/server"
},
"outcome":"success",
"target": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"typeURI":"service/audit/start"
}
}
SECURITY_MEMBER_MGMT
You can use the SECURITY_MEMBER_MGMT event to capture the audit information from SCIM operations or member management. The following table provides the fields for the SECURITY_MEMBER_MGMT event and a description of each field.
FIELDS | DESCRIPTION |
---|---|
eventName | Name of the audit event. |
eventSequenceNumber | Sequence number of the audit event. |
eventTime | Time that the event occurred. |
initiator.host.address | Host address of the initiator of the event. |
initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
observer.id | Identifier of the observer of the event. |
observer.name | Name of the observer of the event: |
observer.typeURI | Unique URI of the observer of the event: |
outcome | Outcome of the event. |
reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of |
reason.reasonType | A value that indicates the underlying mechanism, such as HTTP or HTTPS, associated with the request. |
target.action | What action was being performed on the target. |
target.appname | Name of the application to be accessed or run on the target. |
target.credential.token | Token name of the user that is performing the action. |
target.credential.type | Token type of the user that is performing the action. |
target.entityType | Generic name of the member being acted upon: PersonAccount, Group. |
target.host.address | Host and port of the target. |
target.id | Identifier of the target of the action. |
target.method | Method being invoked on the target, such as, GET or POST. |
target.name | Name of the target. The name includes |
target.realm | Realm name that is associated with the target. |
target.repositoryId | Repository identifier that is associated with the target. |
target.session | Session identifier that is associated with the target. |
target.typeURI | Unique URI for the target of the event: |
target.uniqueName | Unique name of the member being acted upon. |
The following example shows a SECURITY_MEMBER_MGMT user record creation action:
{
"eventName":"SECURITY_MEMBER_MGMT",
"eventSequenceNumber":"13",
"eventTime":"2018-07-24 10:58:45.284 EDT",
"initiator": {
"host": {
"address":"127.0.0.1",
"agent":"Java/1.8.0"
}
},
"observer": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"name":"SecurityService",
"typeURI":"service/server"
},
"outcome":"success",
"reason": {
"reasonCode":"200",
"reasonType":"HTTPS"
},
"target": {
"action":"create",
"appname":"RESTProxyServlet",
"credential": {
"token":"adminUser",
"type":"BASIC"
},
"entityType":"PersonAccount",
"host": {
"address":"127.0.0.1:63571"
},
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"method":"POST",
"name":"/ibm/api/scim/Users",
"realm":"sampleCustomRepositoryRealm",
"repositoryId":"sampleCustomRepository",
"session":"myQz9fZu2ZUW0nEUWvEaiQC",
"typeURI":"service/vmmservice/create",
"uniqueName":"cn=usertemp,o=ibm,c=us"
}
}
The following example shows a SECURITY_MEMBER_MGMT user lookup action:
{
"eventName":"SECURITY_MEMBER_MGMT",
"eventSequenceNumber":"14",
"eventTime":"2018-07-24 10:58:45.343 EDT",
"initiator": {
"host": {
"address":"127.0.0.1",
"agent":"Java/1.8.0"
}
},
"observer": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"name":"SecurityService",
"typeURI":"service/server"
},
"outcome":"success",
"reason": {
"reasonCode":"200",
"reasonType":"HTTPS"
},
"target": {
"action":"get",
"appname":"RESTProxyServlet",
"credential": {
"token":"adminUser",
"type":"BASIC"
},
"entityType":"PersonAccount",
"host": {
"address":"127.0.0.1:63571"
},
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"method":"POST",
"name":"/ibm/api/scim/Users",
"realm":"sampleCustomRepositoryRealm",
"repositoryId":"sampleCustomRepository",
"session":"myQz9fZu2ZUW0nEUWvEaiQC",
"typeURI":"service/vmmservice/get",
"uniqueName":"cn=usertemp,o=ibm,c=us"
}
}
SECURITY_API_AUTHN
You can use the SECURITY_API_AUTHN event to capture the audit information from the login and authentication for servlet APIs. The following table provides the fields for the SECURITY_API_AUTHN event and a description of each field.
FIELDS | DESCRIPTION |
---|---|
eventName | Name of the audit event. |
eventSequenceNumber | Sequence number of the audit event. |
eventTime | Time that the event occurred. |
initiator.host.address | Host address of the initiator of the event. |
initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
observer.id | Identifier of the observer of the event. |
observer.name | Name of the observer of the event: |
observer.typeURI | Unique URI of the observer of the event: |
outcome | Outcome of the event. |
reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of |
reason.reasonType | A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request. |
target.appname | Name of the application to be accessed or run on the target. |
target.credential.token | Token name of the user that is performing the action. |
target.credential.type | Token type of the user that is performing the action, such as, BASIC, FORM or CLIENTCERT |
target.host.address | Host and port of the target. |
target.id | Identifier of the target of the action. |
target.method | Method that is being invoked on the target, such as, GET or POST. |
target.name | Context root. |
target.params | Names and values of any parameters that are sent to the target with the action. |
target.realm | Realm name that is associated with the target. |
target.session | HTTP session ID. |
target.typeURI | Unique URI for the target of the event: |
The following example shows a SECURITY_API_AUTHN event that results in a redirect:
{
"eventName":"SECURITY_API_AUTHN",
"eventSequenceNumber":"2",
"eventTime":"2018-07-24 13:03:24.142 EDT",
"initiator": {
"host": {
"address":"127.0.0.1",
"agent":"Apache-HttpClient/4.1.2 (java 1.5)"
}
},
"observer": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"name":"SecurityService",
"typeURI":"service/server"
},
"outcome":"failure",
"reason": {
"reasonCode":"401",
"reasonType":"HTTP"
},
"target": {
"appname":"ProgrammaticAPIServlet",
"credential": {
"token":"user2",
"type":"BASIC"
},
"host": {
"address":"127.0.0.1:8010"
},
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"method":"GET",
"name":"/basicauth/ProgrammaticAPIServlet",
"params":"testMethod=login,logout,login&user=user2&password=*******",
"realm":"BasicRealm",
"session":"MDqMWXO--7cmdu4Oqkt8J3i",
"typeURI":"service/application/web"
}
}
SECURITY_API_AUTHN_TERMINATE
You can use the SECURITY_API_AUTHN_TERMINATE event to capture the audit information from the log out for servlet APIs. The following table provides the fields for the SECURITY_API_AUTHN_TERMINATE event and a description of each field.
FIELDS | DESCRIPTION |
---|---|
eventName | Name of the audit event. |
eventSequenceNumber | Sequence number of the audit event. |
eventTime | Time that the event occurred. |
initiator.host.address | Host address of the initiator of the event. |
initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
observer.id | Identifier of the observer of the event. |
observer.name | Name of the observer of the event: |
observer.typeURI | Unique URI of the observer of the event: |
outcome | Outcome of the event. |
reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of |
reason.reasonType | A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request. |
target.appname | Name of the application to be accessed or run on the target. |
target.credential.token | Token name of the user that is performing the action. |
target.credential.type | Token type of the user that is performing the action, such as, BASIC, FORM or CLIENTCERT. |
target.host.address | Host and port of the target. |
target.id | Identifier of the target of the action. |
target.method | Method that is being invoked on the target, such as GET or POST. |
target.name | Context root. |
target.params | Names and values of any parameters that are sent to the target with the action. |
target.realm | Realm name that is associated with the target. |
target.session | HTTP Session ID. |
target.typeURI | Unique URI for the target of the event: |
The following example shows a successful SECURITY_API_AUTHN_TERMINATE event:
{
"eventName":"SECURITY_API_AUTHN_TERMINATE ",
"eventSequenceNumber":"3",
"eventTime":"2018-07-24 13:03:24.193 EDT",
"initiator": {
"host": {
"address":"127.0.0.1",
"agent":"Apache-HttpClient/4.1.2 (java 1.5)"
}
},
"observer": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"name":"SecurityService",
"typeURI":"service/server"
},
"outcome":"success",
"reason": {
"reasonCode":"200",
"reasonType":"HTTP"
},
"target": {
"appname":"ProgrammaticAPIServlet",
"credential": {
"token":"user1",
"type":"BASIC"
},
"host": {
"address":"127.0.0.1:8010"
},
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"method":"GET",
"name":"/basicauth/ProgrammaticAPIServlet",
"params":"testMethod=login,logout,login&user=user2&password=*******",
"realm":"BasicRealm",
"session":"MDqMWXO--7cmdu4Oqkt8J3i",
"typeURI":"service/application/web"
}
}
SECURITY_AUTHN
You can use the SECURITY_AUTHN event to capture the audit information from basic authentication, form login authentication, client certificate authentication, and JASPI authentication. The following table provides the fields for the SECURITY_AUTHN event and a description of each field.
FIELDS | DESCRIPTION |
---|---|
eventName | Name of the audit event. |
eventSequenceNumber | Sequence number of the audit event. |
eventTime | Time that the event occurred. |
initiator.host.address | Host address of the initiator of the event. |
initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
observer.id | Identifier of the observer of the event. |
observer.name | Name of the observer of the event: |
observer.typeURI | Unique URI of the observer of the event: |
outcome | Outcome of the event. |
reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of |
reason.reasonType | A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request. |
target.appname | Name of the application to be accessed or run on the target. |
target.credential.token | Token name of the user that is performing the action. |
target.credential.type | Token type of the user that is performing the action, such as, BASIC, FORM or CLIENTCERT. |
target.host.address | Host and port of the target. |
target.id | Identifier of the target of the action. |
target.method | Method that is being invoked on the target, such as GET or POST. |
target.name | Context root. |
target.params | Names and values of any parameters that are sent to the target with the action. |
target.realm | Realm name that is associated with the target. |
target.session | HTTP session ID. |
target.typeURI | Unique URI for the target of the event: |
The following example shows a successful SECURITY_AUTHN event:
{
"eventName":"SECURITY_AUTHN",
"eventSequenceNumber":"6",
"eventTime":"2018-07-24 13:03:28.652 EDT",
"initiator": {
"host": {
"address":"127.0.0.1",
"agent":"Apache-HttpClient/4.1.2 (java 1.5)"
}
},
"observer": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"name":"SecurityService",
"typeURI":"service/server"
},
"outcome":"success",
"reason": {
"reasonCode":"200",
"reasonType":"HTTP"
},
"target": {
"appname":"ProgrammaticAPIServlet",
"credential": {
"token":"user1",
"type":"BASIC"
},
"host": {
"address":"127.0.0.1:8010"
},
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"method":"GET",
"name":"/basicauth/ProgrammaticAPIServlet",
"params":"testMethod=login,logout,login&user=invalidUser&password=*********",
"realm":"BasicRealm",
"session":"vvmysQmVNHt4OfCRNIflZBt",
"typeURI":"service/application/web"
}
}
SECURITY_AUTHN_DELEGATION
You can use the SECURITY_AUTHN_DELEGATION event to capture the audit information from Servlet runAs
delegation and EJB delegation. The following table provides the fields for the SECURITY_AUTHN_DELEGATION event and a description of each field.
FIELDS | DESCRIPTION |
---|---|
eventName | Name of the audit event. |
eventSequenceNumber | Sequence number of the audit event. |
eventTime | Time that the event occurred. |
initiator.host.address | Host address of the initiator of the event. |
initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
observer.id | Identifier of the observer of the event. |
observer.name | Name of the observer of the event: |
observer.typeURI | Unique URI of the observer of the event: |
outcome | Outcome of the event. |
reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of |
reason.reasonType | A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request. |
target.appname | Name of the application to be accessed or run on the target. |
target.credential.token | Token name of the user that is performing the action. |
target.credential.type | Token type of the user that is performing the action, such as, BASIC, FORM or CLIENTCERT. |
target.delegation.users | List of users in the delegation flow, starting with the initial user that is invoking the action. |
target.host.address | Host and port of the target. |
target.id | Identifier of the target of the action. |
target.method | Method that is being invoked on the target, such as GET or POST. |
target.name | Context root. |
target.params | Names and values of any parameters that are sent to the target with the action. |
target.realm | Realm name that is associated with the target. |
target.runas.role | RunAs role name that is used in the delegation. |
target.session | HTTP session ID. |
target.typeURI | Unique URI for the target of the event: |
The following example shows a successful SECURITY_AUTHN_DELEGATION event:
{
"eventName":"SECURITY_AUTHN_DELEGATION ",
"eventSequenceNumber":"12",
"eventTime":"2018-07-16 10:38:02.281",
"initiator": {
"host": {
"address":"127.0.0.1",
"agent":"Apache-HttpClient/4.1.2 (java 1.5)"
}
},
"observer": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"name":"SecurityService",
"typeURI":"service/server"
},
"outcome":"success",
"reason": {
"reasonCode":"200",
"reasonType":"EJB"
},
"target": {
"appname":"SecurityEJBA01Bean",
"credential": {
"token":"user2",
"type":"BASIC"
},
"delegation": {
"users":"user:BasicRealm/user2; user:BasicRealm/user99"
},
"host": {
"address":"127.0.0.1:8010"
},
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"method":"GET",
"name":"/securityejb/SimpleServlet",
"params":"testInstance=ejb01&testMethod=runAsSpecified",
"realm":"BasicRealm",
"runas": {
"role":"Employee"
},
"session":"b3g01JoFvsy7uKDNBqH7An-",
"typeURI":"service/application/web"
}
}
SECURITY_AUTHN_FAILOVER
You can use the SECURITY_AUTHN_FAILOVER event to capture the audit information from failover to basic authentication. The following table provides the fields for the SECURITY_AUTHN_FAILOVER event and a description of each field.
FIELDS | DESCRIPTION |
---|---|
eventName | Name of the audit event. |
eventSequenceNumber | Sequence number of the audit event. |
eventTime | Time that the event occurred. |
initiator.host.address | Host address of the initiator of the event. |
initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
observer.id | Identifier of the observer of the event. |
observer.name | Name of the observer of the event: |
observer.typeURI | Unique URI of the observer of the event: |
outcome | Outcome of the event. |
reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of |
reason.reasonType | A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request. |
target.appname | Name of the application to be accessed or run on the target. |
target.authtype.failover | Name of the failover authentication mechanism. |
target.authtype.original | Name of the original authentication mechanism. |
target.credential.token | Token name of the user that is performing the action. |
target.credential.type | Token type of the user that is performing the action, such as, BASIC, FORM, or CLIENTCERT. |
target.host.address | Host and port of the target. |
target.id | Identifier of the target of the action. |
target.method | Method that is being invoked on the target, such as GET or POST. |
target.name | Context root. |
target.params | Names and values of any parameters that are sent to the target with the action. |
target.realm | Realm name that is associated with the target. |
target.session | HTTP session ID. |
target.typeURI | Unique URI for the target of the event: |
The following example shows a SECURITY_AUTHN_FAILOVER event:
{
"eventName":"SECURITY_AUTHN_FAILOVER",
"eventSequenceNumber":"4",
"eventTime":"2018-07-24 13:05:03.777 EDT",
"initiator": {
"host": {
"address":"127.0.0.1",
"agent":"Apache-HttpClient/4.1.2 (java 1.5)"
}
},
"observer": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"name":"SecurityService",
"typeURI":"service/server"
},
"outcome":"success",
"reason": {
"reasonCode":"200",
"reasonType":"HTTPS"
},
"target": {
"appname":"ClientCertServlet",
"authtype": {
"failover":"BASIC",
"original":"CLIENT_CERT"
},
"credential": {
"token":"LDAPUser1",
"type":"BASIC"
},
"host": {
"address":"127.0.0.1:8020"
},
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"method":"GET",
"name":"/clientcert/SimpleServlet",
"realm":"SampleLdapIDSRealm",
"session":"-7moVRZaL1mU2SVf0RHP28x",
"typeURI":"service/application/web"
}
}
SECURITY_AUTHN_TERMINATE
You can use the SECURITY_AUTHN_TERMINATE event to capture the audit information from a form logout. The following table provides the fields for the SECURITY_AUTHN_TERMINATE event and a description of each field.
FIELDS | DESCRIPTION |
---|---|
eventName | Name of the audit event. |
eventSequenceNumber | Sequence number of the audit event. |
eventTime | Time that the event occurred. |
initiator.host.address | Host address of the initiator of the event. |
initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
observer.id | Identifier of the observer of the event. |
observer.name | Name of the observer of the event: |
observer.typeURI | Unique URI of the observer of the event: |
outcome | Outcome of the event. |
reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of |
reason.reasonType | A value that indicates the underlying mechanism, such as HTTP or HTTPS, that is associated with the request. |
target.appname | Name of the application to be accessed or run on the target. |
target.authtype.failover | Name of the failover authentication mechanism. |
target.authtype.original | Name of the original authentication mechanism. |
target.credential.token | Token name of the user that is performing the action. |
target.credential.type | Token type of the user that is performing the action, such as, BASIC, FORM or CLIENTCERT. |
target.host.address | Host and port of the target. |
target.id | Identifier of the target of the action. |
target.method | Method that is being invoked on the target, such as GET or POST. |
target.name | Context root. |
target.params | Names and values of any parameters that are sent to the target with the action. |
target.realm | Realm name that is associated with the target. |
target.session | HTTP session ID. |
target.typeURI | Unique URI for the target of the event: |
The following example shows a SECURITY_AUTHN_TERMINATE event:
{
"eventName":"SECURITY_AUTHN_TERMINATE",
"eventSequenceNumber":"13"
"eventTime":"2018-07-24 13:02:50.813 EDT",
"initiator": {
"host": {
"address":"127.0.0.1",
"agent":"Apache-HttpClient/4.1.2 (java 1.5)"
}
},
"observer": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"name":"SecurityService",
"typeURI":"service/server"
},
"outcome":"success",
"reason": {
"reasonCode":"200",
"reasonType":"HTTP"
},
"target": {
"credential": {
"token":"user1",
"type":"FORM"
},
"host": {
"address":"127.0.0.1:8010"
},
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"method":"POST",
"name":"/formlogin/ibm_security_logout",
"realm":"BasicRealm",
"session":"oNbsJSCYJrg2SPqzlL-5YxG",
"typeURI":"service/application/web"
}
}
SECURITY_AUTHZ
You can use the SECURITY_AUTHZ event to capture the audit information from Java Authorization Contract for Containers (JACC) web authorization, unprotected servlet authorization, JACC EJB authorization, and EJB authorization. The following table provides the fields for the SECURITY_AUTHZ event and a description of each field.
FIELDS | DESCRIPTION |
---|---|
eventName | Name of the audit event. |
eventSequenceNumber | Sequence number of the audit event. |
eventTime | Time the event occurred. |
initiator.host.address | Host address of the initiator of the event. |
initiator.host.agent | Name of monitoring agent associated with the initiator. |
observer.id | Identifier of the observer of the event. |
observer.name | Name of the observer of the event: |
observer.typeURI | Unique URI of the observer of the event: |
outcome | Outcome of the event. |
reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of |
reason.reasonType | A value that indicates the underlying mechanism, such as HTTP and HTTPS, that is associated with the request. |
target.appname | Name of the application to be accessed or run on the target. |
target.credential.token | Token name of the user that is performing the action. |
target.credential.type | Token type of the user that is performing the action, such as, BASIC, FORM or CLIENTCERT. |
target.ejb.beanname | EJB bean name for EJB authorization. |
target.ejb.method.interface | EJB method interface for EJB authorization. |
target.ejb.method.signature | EJB method signature for EJB authorization. |
target.ejb.module.name | EJB module name for EJB authorization. |
target.host.address | Host and port of the target. |
target.id | Identifier of the target of the action. |
target.method | Method that is being invoked on the target, such as GET or POST. |
target.name | Context root. |
target.params | Names and values of any parameters that are sent to the target with the action. |
target.realm | Realm name that is associated with the target. |
target.role.names | Roles that are identified as being needed. If none are specified, permit all roles for EJBs. |
target.session | HTTP session ID. |
target.typeURI | Unique URI for the target of the event: |
The following example shows a successful WEB authorization event:
{
"eventName":"SECURITY_AUTHZ",
"eventSequenceNumber":"4",
"eventTime":"2018-07-16 10:37:56.259",
"initiator": {
"host": {
"address":"127.0.0.1",
"agent":"Apache-HttpClient/4.1.2 (java 1.5)"
}
},
"observer": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"name":"SecurityService",
"typeURI":"service/server"
},
"outcome":"success",
"reason": {
"reasonCode":"200",
"reasonType":"HTTP"
},
"target": {
"appname":"SecurityEJBServlet",
"credential": {
"token":"user2",
"type":"BASIC"
},
"host": {
"address":"127.0.0.1:8010"
},
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"method":"GET",
"name":"/securityejb/SimpleServlet",
"params":"testInstance=ejb01&testMethod=runAsSpecified",
"realm":"BasicRealm",
"role": {
"names":"[AllAuthenticated]"
},
"session":"NNLU_QCIGIOPHhKLWY1BxVJ",
"typeURI":"service/application/web"
}
}
The following example shows a successful EJB authorization:
{
"eventName":"SECURITY_AUTHZ",
"eventSequenceNumber":"5",
"eventTime":"2018-07-16 10:37:56.719",
"initiator": {
"host": {
"address":"127.0.0.1",
"agent":"Apache-HttpClient/4.1.2 (java 1.5)"
}
},
"observer": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"name":"SecurityService",
"typeURI":"service/server"
},
"outcome":"success",
"reason": {
"reasonCode":"200",
"reasonType":"EJB Permit All"
},
"target": {
"appname":"securityejb",
"credential": {
"token":"user2",
"type":"BASIC"
},
"ejb": {
"beanname":"SecurityEJBA01Bean",
"method": {
"interface":"Local",
"signature":"runAsSpecified:"
},
"module": {
"name":"SecurityEJB.jar"
}
},
"host": {
"address":"127.0.0.1:8010"
},
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"method":"runAsSpecified",
"name":"/securityejb/SimpleServlet",
"params":"testInstance=ejb01&testMethod=runAsSpecified",
"realm":"BasicRealm",
"session":"NNLU_QCIGIOPHhKLWY1BxVJ",
"typeURI":"service/application/web"
}
}
SECURITY_JMS_AUTHN
You can use the SECURITY_JMS_AUTHN event to capture the audit information from JMS authentication. The following table provides the fields for the SECURITY_JMS_AUTHN event and a description of each field.
FIELDS | DESCRIPTION |
---|---|
eventName | Name of the audit event. |
eventSequenceNumber | Sequence number of the audit event. |
eventTime | Time that the event occurred. |
initiator.host.address | Host address of the initiator of the event. |
initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
observer.id | Identifier of the observer of the event. |
observer.name | Name of the observer of the event: |
observer.typeURI | Unique URI of the observer of the event: |
outcome | Outcome of the event. |
reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of |
reason.reasonType | A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB, that is associated with the request. |
target.credential.token | Token name of the user that is performing the action. |
target.credential.type | Token type of the user that is performing the action. |
target.host.address | Host and port of the target. |
target.id | Identifier of the target of the action. |
target.messaging.busname | Name of messaging bus. |
target.messaging.callType | Identifies if call is remote or local. |
target.messaging.engine | Name of the messaging engine. |
target.messaing.loginType | Name of the login algorithm that is used, such as Userid+Password. |
target.messaging.remote.chainName | If the operation is remote, the name of the remote chain name. |
target.realm | Realm name that is associated with the target. |
target.typeURI | Unique URI for the target of the event: |
The following example shows a successful SECURITY_JMS_AUTHN event:
{
"eventName":"SECURITY_JMS_AUTHN",
"eventSequenceNumber":"10",
"eventTime":"2018-07-19 14:33:51.135 EDT",
"observer": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"name":"JMSMessagingImplementation",
"typeURI":"service/server"
},
"outcome":"success",
"reason": {
"reasonCode":"200",
"reasonType":"JMS"
},
"target": {
"credential": {
"token":"validUser",
"type":"BASIC"
},
"host": {
"address":"127.0.0.1:53166"
},
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"messaging": {
"busname":"defaultBus",
"callType":"remote",
"engine":"defaultME",
"loginType":"Userid+Password",
"remote": {
"chainName":"InboundBasicMessaging"
}
},
"realm":"customRealm",
"typeURI":"service/jms/messagingEngine"
}
}
SECURITY_JMS_AUTHZ
You can use the SECURITY_JMS_AUTHZ event to capture the audit information from JMS authorization. The following table provides the fields for the SECURITY_JMS_AUTHZ event and a description of each field.
FIELDS | DESCRIPTION |
---|---|
eventName | Name of the audit event. |
eventSequenceNumber | Sequence number of the audit event. |
eventTime | Time that the event occurred. |
initiator.host.address | Host address of the initiator of the event. |
initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
observer.id | Identifier of the observer of the event. |
observer.name | Name of the observer of the event: |
observer.typeURI | Unique URI of the observer of the event: |
outcome | Outcome of the event. |
reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of |
reason.reasonType | A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB, that is associated with the request. |
target.credential.token | Token name of the user that is performing the action. |
target.credential.type | Token type of the user that is performing the action. |
target.host.address | Host and port of the target. |
target.id | Identifier of the target of the action. |
target.messaging.busname | Name of the messaging bus. |
target.messaging.callType | Identifies if the call is remote or local. |
target.messaging.destination | Name of the messaging destination. |
target.messaging.engine | Name of the messaging engine. |
target.messaging.jmsActions | List of the actions that the credential is allowed. |
target.messaging.jmsResource | Name of the JMS resource, such as QUEUE, TOPIC, or TEMPORARY DESTINATION. |
target.messaging.operationType | Name of the operation that is being requested. |
target.messaging.remote.chainName | If the operation is remote, the name of the remote chain name. |
target.realm | Realm name that is associated with the target. |
target.typeURI | Unique URI for the target of the event: |
The following example shows a successful SECURITY_JMS_AUTHZ event:
{
"eventName":"SECURITY_JMS_AUTHZ",
"eventSequenceNumber":"11",
"eventTime":"2018-07-19 14:33:51.247 EDT",
"observer": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"name":"JMSMessagingImplementation",
"typeURI":"service/server"
},
"outcome":"success",
"reason": {
"reasonCode":"200",
"reasonType":"JMS"
},
"target": {
"credential": {
"token":"validUser",
"type":"BASIC"
},
"host": {
"address":"127.0.0.1:53166"
},
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"messaging": {
"busname":"defaultBus",
"callType":"remote",
"destination":"BANK",
"engine":"defaultME",
"jmsActions":"[BROWSE, SEND, RECEIVE]",
"jmsResource":"queue",
"operationType":"SEND",
"remote": {
"chainName":"InboundBasicMessaging"
}
},
"realm":"customRealm",
"typeURI":"service/jms/messagingResource"
}
}
SECURITY_SAF_AUTHZ
You can use the SECURITY_SAF_AUTHZ event to capture the audit information from a request to the SAF Authorization Service API. The following table provides the fields for the SECURITY_SAF_AUTHZ event and a description of each field:
FIELDS | DESCRIPTION |
---|---|
eventName | Name of the audit event. |
eventSequenceNumber | Sequence number of the audit event. |
eventTime | Time that the event occurred. |
observer.id | Identifier of the observer of the event. |
observer.name | Name of the observer of the event: |
observer.typeURI | Unique URI of the observer of the event: |
outcome | Outcome of the event. |
target.access.level | Level of access that is requested. |
target.applid | Identifier of the APPL class. |
target.authorization.decision | A |
target.credential.token | Token name of the user that is performing the action. |
target.id | Identifier of the target of the action. |
target.racf.reason.code | RACF reason code. |
target.racf.return.code | RACF return code. |
target.saf.class | Name of the SAF class that contains the SAF resource. |
target.saf.profile | Name of the SAF resource that the user requests access to. |
target.saf.return.code | SAF return code. |
target.typeURI | Unique URI for the target of the event: |
target.user.security.name | Username whose access to a SAF resource is being checked. |
The following example shows a successful SECURITY_SAF_AUTHZ event:
{
"eventName": "SECURITY_SAF_AUTHZ",
"eventSequenceNumber": "4",
"eventTime": "2019-04-29T19:45:16.161+0000",
"observer": {
"id": "websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
"name": "SecurityService",
"typeURI": "service/server"
},
"outcome": "success",
"target": {
"access": {
"level": "READ"
},
"applid": "BBGZDFLT",
"authorization": {
"decision": "true"
},
"credential": {
"token": "WSGUEST"
},
"id": "websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
"racf": {
"reason": {
"code": "0"
},
"return": {
"code": "0"
}
},
"saf": {
"class": "EJBROLE",
"profile": "BBGZDFLT.AUTHSERV",
"return": {
"code": "0"
}
},
"typeURI": "service/application/web",
"user": {
"security": {
"name": "WSGUEST"
}
}
}
}
SECURITY_SAF_AUTHZ_DETAILS
You can use the SECURITY_SAF_AUTHZ_DETAILS event to capture the audit information from a SAF Authorization event that is configured to throw a SAF authorization exception on failure. The following table provides the fields for the SECURITY_SAF_AUTHZ_DETAILS event and a description of each field:
FIELDS | DESCRIPTION |
---|---|
eventName | Name of the audit event. |
eventSequenceNumber | Sequence number of the audit event. |
eventTime | Time that the event occurred. |
observer.id | Identifier of the observer of the event. |
observer.name | Name of the observer of the event: |
observer.typeURI | Unique URI of the observer of the event: |
outcome | Outcome of the event. |
target.access.level | Level of the access that is requested. |
target.applid | Identifier of the APPL class. |
target.authorization.decision | A |
target.credential.token | Token name of the user that is performing the action. |
target.id | Identifier of the target of the action. |
target.racf.reason.code | RACF reason code. |
target.racf.return.code | RACF return code. |
target.saf.class | Name of the SAF class that contains the SAF resource. |
target.saf.profile | Name of the SAF resource that the user requests access to. |
target.saf.return.code | SAF return code. |
target.typeURI | Unique URI for the target of the event: |
target.user.security.name | Username whose access to a SAF resource is being checked. |
The following example shows a successful SECURITY_SAF_AUTHZ_DETAILS event:
{
"eventName": "SECURITY_SAF_AUTHZ_DETAILS",
"eventSequenceNumber": "5",
"eventTime": "2019-04-30T13:59:11.688+0000",
"observer": {
"id": "websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
"name": "SecurityService",
"typeURI": "service/server"
},
"outcome": "success",
"target": {
"applid": "BBGZDFLT",
"authorization": {
"decision": "true"
},
"credential": {
"token": "WSGUEST"
},
"id": "websphere: sage.xyz.com:/opt/ol/wlp/usr/:TestServer.audit",
"racf": {
"reason": {
"code": "0"
},
"return": {
"code": "0"
}
},
"saf": {
"class": "EJBROLE",
"profile": "BBGZDFLT.AUTHSERV",
"return": {
"code": "0"
}
},
"user": {
"security": {
"name": "RSTUSR1"
}
}
}
}
JMX_MBEAN_REGISTER
You can use the JMX_MBEAN_REGISTER event to capture the audit information from JMX MBean registration. The following table provides the fields for the JMX_MBEAN_REGISTER event and a description of each field.
FIELDS | DESCRIPTION |
---|---|
eventName | Name of the audit event. |
eventSequenceNumber | Sequence number of the audit event. |
eventTime | Time that the event occurred. |
initiator.host.address | Host address of the initiator of the event. |
initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
observer.id | Identifier of the observer of the event. |
observer.name | Name of the observer of the event: |
observer.typeURI | Unique URI of the observer of the event: |
outcome | Outcome of the event. |
reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of |
reason.reasonType | A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB, that is associated with the request, or the state behind the outcome. |
target.id | Identifier of the target of the action. |
target.jmx.mbean.action | MBean action being performed: register, unregister. |
target.jmx.mbean.name | Name of the MBean being acted upon. |
target.realm | Realm name that is associated with the target. |
target.typeURI | Unique URI for the target of the event: |
The following example shows a successful JMX_MBEAN_REGISTRATION event:
{
"eventName":"JMX_MBEAN_REGISTER",
"eventSequenceNumber":"12",
"eventTime":"2018-07-25 14:42:40.772 EDT",
"observer": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"name":"JMXService",
"typeURI":"service/server"
},
"outcome":"success",
"reason": {
"reasonCode":"200",
"reasonType":"Successful MBean registration"
},
"target": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"jmx": {
"mbean": {
"action":"registerMBean",
"name":"web:name=ClassLoaderMBean"
}
},
"realm":"QuickStartSecurityRealm",
"typeURI":"server/mbean"
}
}
JMX_MBEAN
You can use the JMX_MBEAN event to capture the audit information from JMX_MBEAN operations. The following table provides the fields for the JMX_MBEAN event and a description of each field.
FIELDS | DESCRIPTION |
---|---|
eventName | Name of the audit event. |
eventSequenceNumber | Sequence number of the audit event. |
eventTime | Time that the event occurred. |
initiator.host.address | Host address of the initiator of the event. |
initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
observer.id | Identifier of the observer of the event. |
observer.name | Name of the observer of the event: |
observer.typeURI | Unique URI of the observer of the event: |
outcome | Outcome of the event. |
reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of |
reason.reasonType | A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB, that is associated with the request, or the state behind the outcome. |
target.id | Identifier of the target of the action. |
target.jmx.mbean.action | MBean action being performed: query, create, invoke. |
target.jmx.mbean.name | Name of the MBean being acted upon. |
target.realm | Realm name that is associated with the target. |
target.typeURI | Unique URI for the target of the event: |
The following example shows a successful query of an MBean JMS_MBEAN event:
{
"eventName":"JMX_MBEAN",
"eventSequenceNumber":"24",
"eventTime":"2018-07-25 14:42:44.119 EDT",
"observer": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"name":"JMXService",
"typeURI":"service/server"
},
"outcome":"success",
"reason": {
"reasonCode":"200",
"reasonType":"Successful query of MBeans"
},
"target": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"jmx": {
"mbean": {
"action":"queryMBeans",
"name":"java.lang:type=Threading"
}
},
"realm":"QuickStartSecurityRealm",
"typeURI":"server/mbean"
}
}
JMX_MBEAN_ATTRIBUTES
You can use the JMX_MBEAN_ATTRIBUTES event to capture the audit information from JMX MBEAN attribute operations. The following table provides the fields for the JMX_MBEAN_ATTRIBUTES event and a description of each field.
FIELDS | DESCRIPTION |
---|---|
eventName | Name of the audit event. |
eventSequenceNumber | Sequence number of the audit event. |
eventTime | Time that the event occurred. |
initiator.host.address | Host address of the initiator of the event. |
initiator.host.agent | Name of the monitoring agent that is associated with the initiator. |
observer.id | Identifier of the observer of the event. |
observer.name | Name of the observer of the event: |
observer.typeURI | Unique URI of the observer of the event: |
outcome | Outcome of the event. |
reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of |
reason.reasonType | A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB that is associated with the request, or the state behind the outcome. |
target.id | Identifier of the target of the action. |
target.jmx.mbean.action | MBean action that is being performed on the MBean attribute. getAttribute and setAttribute methods are supported. |
target.jmx.mbean.attribute.names | Name of one or more attributes being acted upon. |
target.jmx.mbean.name | Name of the MBean that is being acted upon. |
target.realm | Realm name that is associated with the target. |
target.typeURI | Unique URI for the target of the event: |
The following example shows a successful JMX_MBEAN_ATTRIBUTES event:
{
"eventName":"JMX_BEAN_ATTRIBUTES",
"eventSequenceNumber":"43",
"eventTime":"2018-07-25 14:42:51.070 EDT",
"observer": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"name":"JMXService",
"typeURI":"service/server"
},
"outcome":"success",
"reason": {
"reasonCode":"200",
"reasonType":"Successful retrieval of MBean attributes"
},
"target": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"jmx": {
"mbean": {
"action":"getAttributes",
"attribute": {
"names":"[TotalStartedThreadCount = 132][CurrentThreadCpuTimeSupported = true]"
},
"name":"java.lang:type=Threading"
}
},
"realm":"QuickStartSecurityRealm",
"typeURI":"server/mbean"
}
}
JMX_NOTIFICATION
You can use the JMX_NOTIFICATION event to capture the audit information from JMX notifications. The following table provides the fields for the JMX_NOTIFICATION event and a description for each field.
FIELDS | DESCRIPTION |
---|---|
eventName | Name of the audit event. |
eventSequenceNumber | Sequence number of the audit event. |
eventTime | Time that the event occurred. |
observer.id | Identifier of the observer of the event. |
observer.name | Name of the observer of the event: |
observer.typeURI | Unique URI of the observer of the event: |
Outcome | Outcome of the event. |
reason.reasonCode | A value that indicates the underlying success or error code for the outcome. In general, a value of |
reason.reasonType | A value that indicates the underlying mechanism, such as HTTP, HTTPS, JMS, or EJB, that is associated with the request, or the state behind the outcome. |
target.id | Identifier of the target of the action. |
target.jmx.mbean.action | MBean action that is being performed on one or more MBean attributes. |
target.jmx.notification.filter | Name of the notification filter. |
target.jmx.notification.listener | Name of the notification listener. |
target.jmx.notification.name | Name of the notification. |
target.realm | Realm name that is associated with the target. |
target.typeURI | Unique URI for the target of the event: |
The following example shows a successful JMX_NOTIFICATION:
{
"eventName":"JMX_NOTIFICATION",
"eventSequenceNumber":"37",
"eventTime":"2018-07-25 14:27:24.303 CDT",
"observer": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"name":"JMXService",
"typeURI":"service/server"
},
"outcome":"success",
"reason": {
"reasonCode":"200",
"reasonType":"Successful add of notification listener"
},
"target": {
"id":"websphere: sage.xyz.com:/opt/ol/wlp/usr/:scim.custom.repository.audit",
"jmx": {
"mbean": {
"action":"addNotificationListener"
},
"notification": {
"filter":"com.ibm.ws.jmx.connector.server.rest.notification.ClientNotificationFilter",
"listener":"com.ibm.ws.jmx.connector.server.rest.notification.ClientNotificationListener",
"name":"web:name=Notifier1"
}
},
"realm":"QuickStartSecurityrealm",
"typeURI":"server/mbean/notification"
}
}